The Internet firewall monitors traffic between the Internet and your public IP addresses. After you activate Cloud Firewall, you can enable or disable the Internet firewall for public IP addresses within your Alibaba Cloud account. You can also apply the default Allow policies to security groups of Elastic Compute Service (ECS) instances. This helps simplify the configuration of security group rules. This topic describes how to configure the Internet firewall.

Background information

The quota of public IP addresses is not exhausted. The quota refers to the maximum number of public IP addresses that the Internet firewall can protect. For more information about the quotas in different Cloud Firewall editions, see Functions and features. To increase a quota, you can go to the Upgrade/Downgrade page and increase the value of Protected Public IP Addresses. For more information, see Renewal.

Protected assets

The Internet firewall can protect the north-south traffic of the following assets: public IP addresses of Elastic Compute Service (ECS) instances, elastic IP addresses (EIPs) of Server Load Balancer (SLB) instances, public IP addresses of SLB instances, high-availability virtual IP addresses (HAVIPs), EIPs, EIPs of ECS instances, EIPs of elastic network interfaces (ENIs), EIPs of NAT gateways, IPv6 addresses of SLB instances, IPv6 addresses of ECS instances, and IP addresses of bastion hosts.

Enable or disable the Internet firewall

Note We recommend that you enable the Internet firewall for all assets within your Alibaba Cloud account.
  1. Log on to the Cloud Firewall console. In the left-side navigation pane, click Firewall Settings.
  2. On the Internet Firewall tab, click Update Assets. Then, the system synchronizes the information about assets within the current account and within the current account of the members.
    The process requires 1 to 2 minutes.
  3. Enable or disable the Internet firewall in the following scenarios:
    • Enable or disable the Internet firewall for all public IP addresses

      In the Public IP, By Asset Region, or Asset Type section, click Enable Firewall or Disable Firewall to enable or disable the Internet firewall for all public IP addresses with a few clicks.

    • Enable or disable the Internet firewall for one or more public IP addresses
      1. In the list of public IP addresses on the IPV4 or IPV6 tab, find the IP address for which you want to enable or disable the Internet firewall.

        You can search for the IP address based on conditions such as Asset Type, Region, and Protection Status. Alternatively, you can enter an instance ID or UID in the search box to search for the IP address.

      2. Click Enable Firewall or Disable Firewall in the Actions column to enable or disable the Internet firewall for the IP address.
    • Enable or disable the Internet firewall for public IP addresses that are newly added

      By default, Automatically Enable Firewalls for New Assets is turned off. If you turn on Automatically Enable Firewalls for New Assets, the Internet firewall is automatically enabled for public IP addresses that are newly added to your Alibaba Cloud account.

    After you enable the Internet firewall, the firewall status changes to Enabled in the Firewall Status column. The value Enabled indicates that the Internet firewall takes effect. After you disable the Internet firewall, the firewall status changes to Disabled in the Firewall Status column. The value Disabled indicates that the Internet firewall no longer provides protection.

Apply default Allow policies to a security group

By default, ECS security groups deny the inbound traffic from the Internet to ECS instances. If you want to allow the inbound traffic, you can apply default Allow policies to a security group in the Cloud Firewall console. You do not need to modify the security group rules on the Security Groups page of the ECS console.

How default Allow policies work

Cloud Firewall applies four access control policies with the lowest priority to the security groups of an ECS instance that has a public IP address. These policies allow traffic from the Internet to the public IP address. The access control policies are considered security group rules. The lowest priority is 100. The four policies are automatically created. You need only to confirm and save them for the security groups.
Note The default Allow policies take effect only on traffic allowed by security group rules. The policies do not take effect on denied traffic.

Edition limits

  • Advanced security groups do not support default Allow policies. If an advanced security group contains ECS instances in a virtual private cloud (VPC), default Allow policies cannot be applied to the security groups that contain the ECS instances in the VPC. For more information, see Advanced security groups.
  • Default Allow policies can be applied only to security groups of an ECS instance that has a public IP address or an elastic IP address (EIP) to allow inbound traffic from the Internet to the public IP address or EIP. You cannot apply default Allow policies to security groups to allow inbound traffic from the Internet to Internet-facing Server Load Balancer (SLB) instances.
  • To better protect your assets, we recommend that you do not apply default Allow policies to IP addresses for which the firewalls provided by Cloud Firewall are disabled. We recommend that you do not disable the firewalls for IP addresses to which you have applied default Allow policies. Otherwise, the IP addresses may be exposed to the Internet.
Warning To avoid serious security risks to your business, take note of the following descriptions:
  • Do not apply the default Allow policies to IP addresses for which the firewalls provided by Cloud Firewall are disabled.
  • If traffic redirection is not supported for the public IP address of an ECS instance or an Internet-facing SLB instance, we recommend that you do not apply the default Allow policies to that IP address.
  • If your Cloud Firewall expires and you no longer need it, you can go to the Security Groups page in the ECS console to delete the four default Allow policies that are added by Cloud Firewall. For more information, see Delete a security group rule.
  1. Log on to the Cloud Firewall console. In the left-side navigation pane, click Firewall Settings.
  2. On the Internet Firewall tab, find the IP address of an ECS instance to which you want to apply default Allow policies and click Apply.
  3. In the Default Allow Policy dialog box, find the security group to which the IP address is added and perform the following operations.
    • The existing rules of the security group do not conflict with the default Allow policies
      1. Click One-click Apply. in the Actions column. In the Default Allow Policy > One-click Apply dialog box, view the four default Allow policies that are automatically created by Cloud Firewall.
      2. Confirm the policies and click OK. In the message that appears, click Submit. The inbound traffic from the Internet to the security group is allowed.
        Note After you click Submit, all inbound traffic from the Internet to the ECS instances in the security group is allowed. We recommend that you check whether the public IP addresses of the ECS instances in the security group are exposed to the Internet. If the public IP addresses are exposed, make sure that access control policies are applied to these IP addresses in Cloud Firewall.
      3. You can click View to view details about all the security groups.

        After you click One-click Apply for all security groups to which the IP address is added, the policies take effect, and the status in the Default Allow Policy column becomes Applied.

        Important After you apply the default Allow policies, the security groups Allow inbound traffic from the Internet by default. Take note of the following descriptions:
        • After you apply the default Allow policies, make sure that the firewall for the IP address in the Cloud Firewall console is enabled and create inbound access control policies on the Internet Firewall tab of the Access Control page.
        • After you apply the default Allow policies to the security groups of an ECS instance that has the public IP address, the inbound traffic from the Internet to the ECS instances in the security groups is allowed by default. We recommend that you configure an appropriate number of ECS instances when you configure a security group. This helps limit the number of ECS instances that are exposed to the Internet.
        • If Cloud Firewall expires, the security groups to which you have applied the default Allow policies are no longer protected by Cloud Firewall. We recommend that you renew Cloud Firewall after you receive a renewal notification or reconfigure the inbound rules of the security groups to protect your ECS instances. After you apply the default Allow policies, Cloud Firewall applies four inbound rules to the security groups. The policies are retained in the security groups and are in effect. If you no longer use Cloud Firewall, go to the Network & Security > Security Groups page in the ECS console to delete the policies.
    • The existing rules of the security group conflict with the default Allow policies
      • The conflicts can be resolved

        The security group has existing rules whose priorities are greater than or equal to 100. This results in conflicts with the default Allow policies. Cloud Firewall can increase the priorities of the existing rules to resolve the conflicts.

        Cloud Firewall automatically increase the priorities of the existing rules. You need to only click Adjust with One Click and click OK in the Default Allow Policy dialog box. Then, Cloud Firewall automatically adjusts the priorities of the existing rules.

      • The conflicts cannot be resolved

        The security group has existing rules whose priorities are greater than or equal to 100. This results in conflicts with the default Allow policies. Cloud Firewall cannot adjust the priorities of the existing rules to resolve the conflicts.

        If the conflicts cannot be resolved, we recommended that you go to the Security Groups page in the ECS console to view and adjust the priorities of existing rules, or join the DingTalk group numbered 33081734 to obtain technical support on Cloud Firewall.

    After you apply the default Allow policies, you can go to the Firewall Settings > Internet Firewall tab to check whether the policies are applied to the security groups of your ECS instances. If the policies fail to be applied, troubleshoot the failure at the earliest opportunity.

    The default Allow policies can be in one of the following states:

    • Applied: The policies are applied to all security groups of the ECS instance that has the IP address. All inbound traffic from the Internet to the ECS instances in the security groups are allowed. If an ECS instance is added to multiple security groups, you must apply the default Allow policies to all the security groups before the policies can take effect.
    • Not Applied: The policies are applied only to some security groups of the ECS instance that uses the IP address. In this case, the security group rules control inbound traffic from the Internet to the ECS instance. If configuration conflicts among security group rules exist or you did not perform the One-click Apply operation, the policies may be in the Not Applied state.
    • Not Supported: This type of asset does not support default Allow policies. Default Allow policies are supported only for public IP addresses and EIPs of ECS instances. IP addresses such as IP addresses of SLB instances, EIPs of elastic network interfaces (ENIs), and EIPs of network address translation (NAT) gateways are not supported.

What to do next

You can perform the following operations based on your business requirements:

  • Upgrade specifications

    Click Increase Quota for Policies to upgrade the edition of Cloud Firewall or upgrade the specifications. For more information, see Renewal.

  • View the numbers of unprotected and protected IPv6 addresses and IPv4 addresses
    1. Click the view icon to view the numbers of unprotected and protected IPv6 addresses and IPv4 addresses.
    2. Click the number of IPv6 addresses or IPv4 addresses. The information about the IP addresses is displayed in the list of public IP addresses in the lower part of the page.

      For example, if you click the number of unprotected IPv6 addresses, the information about the IPv6 addresses is displayed in the list of public IP addresses.